Bradley Wilson, Thomas Goughnour
U.S. Marine Corps Systems Command asked the RAND Corporation to assess the Marine Corps offensive cyber operations acquisition life cycle and identify ways to improve the transparency of related decisionmaking. The authors brought together data on operational capability, scheduling, and risk to develop a life-cycle cost-estimating framework. This framework should help Joint Cyber Weapons (JCW) program leadership understand the potential costs and provide additional guidance on budgeting considerations. It incorporates five classes of inputs and has three types of outputs.
In creating the framework, the authors considered the demand for exploits from the operational user, as well as the type of cyber weapon (e.g., exploit, implant, payload), the weapon's target environment (e.g., desktop or mobile systems), vulnerability decay rate, the adversary's defense capabilities, weapon cost, and how various acquisitions are phased in and out of service over time. The framework also addresses the production of cyber weapons, their costs, and how uncertainties are distributed over a specified period. The authors conducted exploratory modeling and simulation to better understand associated uncertainties and model inputs.
Key Findings
An assessment of the life spans of 133 historic vulnerabilities using open-source information found that the mean life span can be quite short for mobile and desktop vulnerabilities (three to five months, respectively) in situations in which potential adversaries have a high defense level (i.e., an ability to rapidly identify and patch a vulnerability).
The available data and assumptions about operational demand suggest significant uncertainty in the potential cost of the JCW program—a five-year total cost between $90 million and $290 million.
The cost-estimating framework presented in this report represents a foundation that will benefit from incremental improvements as understanding of the challenges improves and as additional historical data become available.
Recommendations
Consider the significant uncertainty of the life span of vulnerabilities during program planning and budgeting.
Collect historical data (and plan to collect future data) on the cost of procuring and operationalizing exploits.